VPN: step-by-step

Thank you very much for that tip, Oliver; that worked out for me too with the Synology VPN server.

cheers

I went the Softether VPN route and everything seems to be set up correctly. Roon 1.7 on iOS would crash after a couple seconds of playing over LTE/4G though. The L2TP VPN connection seems to be rock solid. Any idea what could cause this?

Edit: Funny enough, after rebooting my phone this VPN solution seems now to be running stable. I’ve used 4G and WiFi in the Netherlands this weekend to stream Roon music from my NUC in Cologne, Germany :slight_smile:

1 Like

I’m wondering if there’s a way to implement the Softether option to a pfSense router. That would be ideal as I have OpenVPN server running already on that router but unfortunately it won’t do the trick with Roon as OpenVPN does not seem to be compatible.

Anyone got any experience with this?

Thanks for the guide! I had a pi4 I was planning on setting up piVPN on, but tried the softether method in your guide. Works like a charm, I changed the startup method to systemd, and used the ethernet port since the wireless on the Pi wouldn’t work as the bridge.

1 Like

Hi Joshua, if you have a RBPi3 the WiFi should work … here is another manual I followed… hope it helps you!

Cheers, Max

Wifi dongle (The Pi 3 has WiFi inbuilt)

Ethernet Connection

Optional

Raspberry Pi Case

Setting up the WiFi Bridge

To set up the Raspberry Pi WiFi bridge we will be utilizing the dnsmasq package; this package handles most of the grunt work for this tutorial.

Dnsmasq is a package that acts as both a local DHCP server and a local DNS server. We utilize this package so that we can assign IP addresses and process DNS requests through the Raspberry Pi itself and act like a router.

One of the bonuses to utilizing dnsmasq is that it is very easy to configure while being somewhat lightweight in comparison to the isc-dhcp-server and bind9 packages.

Remember for this tutorial you will need to have an active WiFi router to connect to and an ethernet device you intend on bridging the Wi-Fi connection to.

1. Before we get started with installing and setting up our packages, we will first run an update on the Raspberry Pi by entering the following two commands into the terminal.

sudo apt-get update

sudo apt-get upgrade

2. With that done we can now install the one and only package we will be utilizing, run the following command to install dnsmasq.

sudo apt-get install dnsmasq

3. Before we get too far ahead of ourselves, we should setup the wlan0 connection that we plan on using. If you have already setup your wireless connection then you can skip ahead to step 5.

Otherwise open up the wpa_supplicant file by running the following command:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

4. Within this file add the following, making sure you replace the ssid with the name of the network you want to connect to and replace the psk value with the password for that network.

network={

ssid="networkname"

psk="networkpassword"

}

5. With the wireless network now set up to connect correctly we can proceed with setting up our eth0 interface. This will force it to use a static IP address; not setting this up can cause several issues.

To do this we need to modify the dhcpcd.conf file by running the following command:

sudo nano /etc/dhcpcd.conf

Important Note: If you're on Raspbian Stretch then wlan0 and eth0 may need to be changed if predictable network interface names are turned on. Use the ifconfig command to see the new names; they're likely quite long and will contain the MAC address.

Make sure you update these for all the commands in this tutorial.

6. Within this file we need to add the following lines, make sure you replace eth0 with the correct interface of your ethernet.

interface eth0

static ip_address=192.168.220.1/24

static routers=192.168.220.0

Now we can save and quit out of the file by pressing Ctrl+X, then pressing Y and then Enter.

7. With our changes made to dhcpcd configuration we should now restart the service by running the following command:

sudo service dhcpcd restart

8. Before we get started with modifying dnsmasq’s configuration we will first make a backup of the original configuration by running the following command.

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

9. With the original configuration now backed up and moved out of the way we can now move on and create our new configuration file by typing the command below into the terminal.

sudo nano /etc/dnsmasq.conf

10. Now that we have our new file created we want to add the lines below, these lines basically tell the dnsmasq package how to handle DNS and DHCP traffic.

interface=eth0 # Use interface eth0

listen-address=192.168.220.1 # Specify the address to listen on

bind-interfaces # Bind to the interface

server=8.8.8.8 # Use Google DNS

domain-needed # Don’t forward short names

bogus-priv # Drop the non-routed address spaces.

dhcp-range=192.168.220.50,192.168.220.150,12h # IP range and lease time

Now we can save and quit out of the file by pressing Ctrl+X, then pressing Y and then Enter.

11. We now need to configure the Raspberry Pi's firewall so that it will forward all traffic from our eth0 connection over to our wlan0 connection. Before we do this we must first enable IPv4 forwarding through the sysctl.conf configuration file, so let's begin editing it with the following command:

sudo nano /etc/sysctl.conf

12. Within this file you need to find the following line, and remove the # from the beginning of it.

Find:

#net.ipv4.ip_forward=1

Replace with:

net.ipv4.ip_forward=1

Now we can save and quit out of the file by pressing Ctrl+X, then pressing Y and then Enter.

13. Now since we don’t want to have to wait until the next reboot before the configuration is loaded in, we can run the following command to enable it immediately.

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

14. Now that IPv4 Forwarding is enabled we can reconfigure our firewall so that traffic is forwarded from our eth0 interface over to our wlan0 connection. Basically this means that anyone connecting to the ethernet will be able to utilize our wlan0 internet connection.

Run the following commands to add our new rules to the iptable:

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT

Note: If you get errors when entering the above lines simply reboot the Pi using sudo reboot.

15. Of course the iptables rules are flushed on every boot of the Raspberry Pi, so we will need to save our new rules somewhere so they are loaded back in on every boot.

To save our new set of rules run the following command.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

16. Now with our new rules safely saved we need to make sure this file is loaded back in on every reboot. The simplest way to handle this is to modify the rc.local file.

Run the following command to begin editing the file.

sudo nano /etc/rc.local

17. Now that we are in this file, we need to add the line below. Make sure this line appears above exit 0. This line reads the settings out of our iptables.ipv4.nat file and loads them into iptables.

Find:

exit 0

Add Above:

iptables-restore < /etc/iptables.ipv4.nat

Now we can save and quit out of the file by pressing Ctrl+X, then pressing Y and then Enter.

18. Finally all we need to do is start our dnsmasq service. To do this, all you need to do is run the following command:

sudo service dnsmasq start

19. Now you should finally have a fully operational Raspberry Pi WiFi Bridge, you can ensure this is working by plugging any device into its Ethernet port, the bridge should provide an internet connection to the device you plugged it into.

To ensure everything will run smoothly it’s best to try rebooting now. This will ensure that everything will successfully re-enable when the Raspberry Pi is started back up. Run the following command to reboot the Raspberry Pi:

sudo reboot

Setting up the Raspberry Pi WiFi Bridge with a VPN

This tutorial is fully compatible with the basic VPN router tutorial. However, there is one small change you will have to make in step 13 of that tutorial: rather than using the commands showcased there, run the commands below.

Basically the main change you will see here is that instead of redirecting the traffic from wlan0 through the tunnel we will be redirecting the traffic from our eth0 connection to the tunnel.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

The rest of the VPN Access Point tutorial can be done without any other changes.

Hopefully by now you should have a fully operational Raspberry Pi WiFi Bridge. This manual was provided by pimylife.com.

3 Likes
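The walkthrough above produces three artefacts: the eth0 stanza in /etc/dhcpcd.conf, the /etc/dnsmasq.conf that hands out leases, and the NAT/FORWARD rules saved with iptables-save. The script below is an added example written for this page, not code from the pimylifeup tutorial or from Max's post. Its three inputs are constructed to mirror the tutorial's values, and the file formats and interface names are the ones dhcpcd, dnsmasq and iptables-save actually use; on a real Pi you would feed it the real files and the output of `sudo iptables-save`. It checks that the two configs agree on the bridge subnet, that the step 14 rules are present, and it flags two things the steps do not mention: `static routers=192.168.220.0` is the network address of 192.168.220.0/24 rather than a host, and the FORWARD chain is left on its default ACCEPT policy, so the rules only add permissions and never restrict anything.

```python
"""Offline sanity checks for the dnsmasq/iptables WiFi-bridge configuration.

Added example (not part of the pimylifeup tutorial or the forum post). The
inputs are constructed to match the tutorial's values; substitute the real
/etc/dhcpcd.conf, /etc/dnsmasq.conf and `sudo iptables-save` output to use it.
"""
import ipaddress

# Constructed input: the eth0 stanza added to /etc/dhcpcd.conf in step 6.
DHCPCD_CONF = """\
interface eth0
static ip_address=192.168.220.1/24
static routers=192.168.220.0
"""

# Constructed input: the /etc/dnsmasq.conf written in step 10.
DNSMASQ_CONF = """\
interface=eth0
listen-address=192.168.220.1
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=192.168.220.50,192.168.220.150,12h
"""

# Constructed input: what iptables-save prints after the step 14 rules,
# trimmed to the two tables that matter for the bridge.
IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT
"""


def parse_kv(text):
    """Map 'key=value' lines to a dict, ignoring comments and bare keywords."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def check_addressing(dhcpcd_conf, dnsmasq_conf):
    """Check that dhcpcd and dnsmasq agree on the LAN side of the bridge."""
    findings = []
    d = parse_kv(dhcpcd_conf)
    m = parse_kv(dnsmasq_conf)
    iface = ipaddress.ip_interface(d["static ip_address"])
    net = iface.network
    if ipaddress.ip_address(m["listen-address"]) != iface.ip:
        findings.append("dnsmasq listen-address differs from the eth0 static address")
    lo, hi = (ipaddress.ip_address(a) for a in m["dhcp-range"].split(",")[:2])
    if lo not in net or hi not in net or lo > hi:
        findings.append(f"dhcp-range {lo}-{hi} is not inside {net}")
    elif lo <= iface.ip <= hi:
        findings.append("dhcp-range overlaps the Pi's own address")
    if "static routers" in d:
        gw = ipaddress.ip_address(d["static routers"])
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append(
                f"static routers={gw} is not a host address on {net}; the bridge's "
                "LAN side has no upstream router, so check the result with `ip route`"
            )
    return findings


def check_forwarding(iptables_save, lan="eth0", wan="wlan0"):
    """Check the NAT and FORWARD rules from step 14 (or the tun0 VPN variant)."""
    findings = []
    table, policies, rules = None, {}, []
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            rules.append((table, line))
    nat = [r for t, r in rules if t == "nat"]
    fwd = [r for t, r in rules if t == "filter" and r.startswith("-A FORWARD")]
    if not any(f"-o {wan}" in r and "-j MASQUERADE" in r for r in nat):
        findings.append(f"no MASQUERADE rule for packets leaving {wan}")
    if not any(f"-i {lan} -o {wan}" in r and "-j ACCEPT" in r for r in fwd):
        findings.append(f"no FORWARD rule from {lan} to {wan}")
    if not any(f"-i {wan} -o {lan}" in r and "ESTABLISHED" in r for r in fwd):
        findings.append(f"no RELATED,ESTABLISHED return rule from {wan} to {lan}")
    if policies.get(("filter", "FORWARD")) != "DROP":
        findings.append(
            f"FORWARD policy is not DROP: any host on the {wan} side that routes the "
            f"bridge subnet via the Pi can reach the {lan} clients directly; run "
            "`iptables -P FORWARD DROP` before saving the rules"
        )
    return findings


if __name__ == "__main__":
    for name, found in (("addressing", check_addressing(DHCPCD_CONF, DNSMASQ_CONF)),
                        ("forwarding", check_forwarding(IPTABLES_SAVE))):
        print(name, "OK" if not found else "")
        for item in found:
            print("  -", item)
```

For the VPN variant of the bridge, call `check_forwarding(output, wan="tun0")` so the MASQUERADE and FORWARD checks look for the tunnel interface instead of wlan0; the FORWARD policy check applies unchanged, since the tunnel rules are also pure additions on top of whatever the default policy is.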

Hi,
This is my 1st post in the ROON community so be patient with me…
I have spent a few weeks tinkering with my 2 Roon ROCK NUCs. I decided to convert both of them to Linux boxes and decided to install the latest Debian version. I subsequently installed OpenVPN on the same box to attempt to get Roon to talk to my iPhones while on the road…

I found the way to set this up with 2 OpenVPN interfaces running on the Roon box at the same time; one for TUN and one for TAP. My laptop uses the bridge and my iPhone the tunnel. I can now say that both work. I can access all my devices, surf the Internet AND use the Roon remote. Below is a snapshot of how I configured this setup.

DD-WRT LAN Router w/ 192.168.0.1 Gateway

Roon Server on Debian Linux

OPENVPN Server on Roon Box with br0 @ 192.168.0.2
TAP interface through 192.168.0.2
TUN interface through 10.8.0.1

LAN DD-WRT Router iptables

iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$WAN_IF" -j MASQUERADE

LAN DD-WRT (Setup – Advanced Routing - Static Routing)

Masquerade Route (NAT): Select

Destination LAN NET: 10.8.0.0

Subnet Mask: 255.255.255.0

Gateway: 192.168.0.2


Setup both TUN and TAP interfaces on OPENVPN

Can access Roon on both interfaces with Laptop and iphone

I can now listen to my ROON box while in the car… Hurrah.

Regards,

3 Likes

Very nice.

I’ll have to dig into that.
I have a pfSense firewall and already have an OpenVPN server running.

Anyone had any luck recently with VPN access from an iPhone?
I feel like I’m pretty close…

I am connecting to a Vigor 2860 router which has a built-in VPN server.
I've configured that as an L2TP (AES-SHA1 Auth) VPN.
My iPhone connects fine and ends up with an IP on the same subnet as my Roon core (which is running on a Windows server machine).

When I start the Roon app on my iPhone, it gets stuck on the 'Choose your Roon core' screen.
If I look at the Roon app on a PC, I see that my iPhone has appeared as an audio device.
But there is no zone for it.

Here's the weird thing:
If I start my iPhone Roon app when I am on WiFi, it finds the Roon core server.
If I leave the app running, turn off WiFi and connect via the VPN, the iPhone Roon app loses the connection for a second and is then able to reconnect and works fine.

So, it seems that it does work apart from that initial iPhone app looking for the Roon core.
Does anyone know how the app looks for the core?
Are there any specific protocols which are needed to be enabled? (I read IGMP with Snooping is, and that’s on)
Thanks

Yep, running Roon Core on a Mac Mini server 5.7 and a Raspberry Pi VPN server with SoftEther VPN server. Flawless, no issues connecting to iPhone 7, Xr and many others…

Hi Hilton.
Did you put the step by step guide together in any form?
Please point me to it if you did.
Many thanks.

Hey @Max_Mackenzie,
Thanks for posting that info, I have a spare Raspberry Pi so I might try and give that a go. Could I trouble you for some more details to get me started?
I assume the RoonCore and Raspberry Pi are on the same subnet.
Which VPN protocol do you use from the iphone to the raspberry pi?
Did you have to do port forwarding from your router to the pi?
Any specific setting on the vpn get Roon discoverable / The player working?
I am very keen to get this working after having no luck with the VPN server built into my router…
Thanks a lot.
Guy

Hi Guy, I used the site Softether.org

https://www.softether.org/4-docs/1-manual/7._Installing_SoftEther_VPN_Server/7.3_Install_on_Linux_and_Initial_Configurations

and the best is to go for a 16 GB flash card for the VPN server and a Raspi3 or Raspi4.
The core and Pi3 do not need to be on the same subnet - here I have two VLANs and the main thing is that the Roon core only advertises on ONE net, not multiple - SO be sure the subnets are all accessible from both sides; if not you will see a connection to the core but NO data is popping up in the client. Indeed you need to forward several ports for Roon to the VPN server … these are UDP 500, 1701, 4500, TCP/UDP 9100-9200 and TCP 1723.

Mind, installation of the VPN server is pretty straightforward, and the ports are also not too difficult, but make sure you set up IPsec/L2TP, otherwise it will NOT work :slight_smile:

For iPhone I use the regular VPN IPSEC

hope it helps a little… regards,
Max

1 Like

And … the easiest way is to have the Core and VPN on the same subnet - if you do not have mesh subnets… you are good to go - here I have a few roaming around and … this could be pesky when starting the router or DHCP.

1 Like

Easiest solution for laptop so far.

1 Like

Hi @Max_Mackenzie,
OMG! it worked!!! I am beyond happy :slight_smile:
The setup was pretty straight forward.
I didn't have to forward any of the ports you mentioned to get it to work… Is that because the VPN server is on the same subnet as the Core server?
I’ve tested it over 4G and it worked perfectly.
One odd thing, I have to disable WIFI for roon to see the iPhone as an audio device. If I don’t it just get stuck trying to enable the audio device. Can you imagine why?
Thanks again for the tips. much appreciated.

For anyone else who wants to give it a go. I did the following:

  1. Create an SD card image (standard Raspbian) with this app: https://www.raspberrypi.org/downloads/
  2. Booted the Pi with the SD card with a monitor, keyboard and mouse.
  3. Assigned the Pi a fixed IP (DHCP allocated).
  4. Updated all the software to the latest and enabled SSH and VNC from the menu.
  5. Followed this video pretty much to the letter to set up SoftEther: https://www.youtube.com/watch?v=uOP7XyRweRw
  6. Port forwarded ports UDP 500 and 4500 to the VPN server.
  7. Set up an L2TP VPN on my iPhone. Notes on the fields:
    Server: You will need to have a static public IP or use a DNS service to map to your dynamic one.
    Account: will be your login name @ virtual hub name. So if your user is 'fred' and your virtual hub was 'remote', your login should be 'fred@remote'.
    Secret: is the IPsec pre-shared key from the IPsec/L2TP/EtherIP/L2TPv3 Server settings page on the SoftEther server.

Enjoy

2 Likes

Good work Guy! Awesome !!! Disconnect WiFi: I assume that Roon is single point and gets confused with multipoint - here I run two VLANs and need to have two IPs, one for wired and one for WiFi, otherwise remotes do not see Roon when the remotes are connecting to VLAN 2 but the Core is quietly running in VLAN 1.

So I expect you are a happy camper now :wink: all the best Regards Max

Very happy indeed :slight_smile:

One thing I’d like to try is whether I can run from another house which has a LAN to LAN VPN. I do that at my dad’s house (and work). I wonder whether it’l work off the WIFI there connecting back to my place

The reason for no port forwarding means that all traffic to your LAN is without restrictions, meaning hacker and Trojan friendly… my advice is to block
all unnecessary ports and use https, because one day you will be the lucky one who has to pay to decrypt your own data… it is just a warning :warning: best regards Max

Sorry, my mistake, I had previously opened the Roon ports on my server trying to get the VPN working.
All my machines run Windows firewall with the default settings. I only have the VPN and a couple of other external ports forwarded.
But I do only use one LAN (i don’t use VLANS).
Do you think running VLANs is worth it?
And when you say ‘use https’ at what point do you mean that should be used? Internally or externally?
Thanks, you’ve got me a bit worried now! :slight_smile:

Maybe it's just my lack of knowledge but I'm running ExpressVPN on my Win10 Core through one server somewhere out there and on my iPhone 11 Pro Max, also running ExpressVPN but through a different server, and everything works perfectly fine.

1 Like